b"OFFICE OF INSPECTOR GENERAL\n\n\nAUDIT OF THE MILLENNIUM\nCHALLENGE CORPORATION\xe2\x80\x99S\nIMPLEMENTATION OF\nSELECTED KEY PROJECT\nCONTROLS FOR THE MCC\nINTEGRATED DATA ANALYSIS\nSYSTEM\n\nAUDIT REPORT NO. M-000-11-002-P\nJanuary 31, 2011\n\n\n\nWASHINGTON, D.C.\n\x0c          \xc2\xa0\n          Office\xc2\xa0of\xc2\xa0Inspector\xc2\xa0General\xc2\xa0\n          \xc2\xa0\xc2\xa0for\xc2\xa0the\xc2\xa0Millennium\xc2\xa0Challenge\xc2\xa0Corporation\xc2\xa0\n\n\nJanuary 31, 2011\n\nThe Honorable Daniel W. Yohannes\nChief Executive Officer\nMillennium Challenge Corporation\n875 Fifteenth Street, NW\nWashington, DC 20005\n\n\nDear Mr. Yohannes:\n\nThis letter transmits the Office of Inspector General\xe2\x80\x99s final report on the Audit of the Millennium\nChallenge Corporation\xe2\x80\x99s Implementation of Selected Key Project Controls for the MCC\nIntegrated Data Analysis System. In finalizing the report, we considered your written comments\non our draft report and included those comments in their entirety in Appendix II of this report.\n\nThe report contains nine recommendations to strengthen the Millennium Challenge\nCorporation\xe2\x80\x99s project management capabilities for information technology projects. We have\nreviewed your comments and determined that management decisions have been reached on all\nnine recommendations in the audit report.\n\nI appreciate the cooperation and courtesy extended to my staff during this audit.\n\nSincerely,\n\n\nAlvin A. Brown /s/\nAssistant Inspector General\nMillennium Challenge Corporation\n\n\n\n\nMillennium Challenge Corporation\n1401 H Street, NW\nSuite 770\nWashington, DC 20005\nwww.usaid.govoig\n\x0cCONTENTS\nSummary of Results ....................................................................................................... 1\nAudit Finding ................................................................................................................... 3\n          Key Project Controls Not Incorporated Into MIDAS Project .................................. 3\nEvaluation of Management Comments ....................................................................... 12\nAppendix I \xe2\x80\x93 Scope and Methodology ........................................................................ 13\nAppendix II \xe2\x80\x93 Management Comments ....................................................................... 14\nAppendix III \xe2\x80\x93 Additional Background Information ................................................... 17\n\x0cSUMMARY OF RESULTS\nOn September 27, 2007, the Millennium Challenge Corporation (MCC) awarded a\ncontract to develop the Business Intelligence and Data Storage system (page 17). The\nsystem would enable MCC to meet its strategic goals by enabling it to link financial\nmanagement and performance data, which would improve MCC\xe2\x80\x99s programmatic\neffectiveness, operational efficiency, and ability to show results. By March 2008, MCC\nrealized that the system did not function as intended and halted the project. In\nSeptember 2008, MCC modified the contract to refine the requirements. In addition,\nMCC renamed the project MCC Integrated Data Analysis System (MIDAS). In March\n2009, MCC began using MIDAS in some countries. To date, MCC has spent more than\n$6.9 million 1 against the contract.     Appendix III provides additional background\ninformation.\n\nThe objective of the audit was to determine if MCC implemented selected key project\ncontrols to meet cost, schedule, and performance goals for the MIDAS project. For this\naudit, selected key project controls were (1) risk management, (2) earned value\nmanagement, and (3) requirements management.\n\nMCC did not implement three key project controls to meet cost, schedule, and\nperformance goals (page 3). Specifically, MCC did not:\n\n      \xe2\x80\xa2   Manage MIDAS project risks (pages 3\xe2\x80\x934).\n      \xe2\x80\xa2   Use earned value management, which is a project management control tool\n          allowing visibility into technical, cost, and schedule planning; performance; and\n          progress for major information technology (IT) projects, as required (page 4).\n      \xe2\x80\xa2   Effectively manage the MIDAS requirements, which specify system capabilities\n          as well as its physical and performance limitations (pages 4\xe2\x80\x935).\n\nThe aforementioned problems occurred because MCC did not (1) consistently involve\nqualified staff and maintain appropriate staffing levels to manage the project (pages 5\xe2\x80\x936);\n(2) develop comprehensive policies and procedures for systems and service acquisition\n(pages 6\xe2\x80\x937); and (3) establish what project documentation should be prepared, updated,\nand maintained for IT projects (pages 7\xe2\x80\x938). As a result, MCC spent more than $6.9 million\nfor a system that only partially met its needs (page 8).\n\nThe report recommends that MCC:\n\n1. Develop a detailed, written plan to establish strong project management capabilities\n   for IT projects (page 9).\n\n2. Develop written earned value management policies and procedures for IT projects,\n   as required (page 10).\n\n3. Develop written policies and procedures to plan for, mitigate, monitor, and report on\n   risks to IT projects (page 10).\n\n\n1\n    Unaudited.\n\n\n                                                                                         1\n\x0c4. Update the Contracts Operating Manual to include procedures for including risk\n   management and earned value management in contracting actions, when required\n   (page 10).\n\n5. Develop written policies and procedures to obtain written approval for relying on a\n   contractor\xe2\x80\x99s systems development life cycle methodology (page 10).\n\n6. Develop written policies and procedures to address key decision points for IT\n   projects (page 10).\n\n7. Establish in writing what documentation must be prepared, updated, and maintained\n   for IT projects (page 10).\n\n8. Implement risk management, earned value management, and requirements\n   management for the MIDAS project before proceeding to the development phase to\n   build additional functionality for the system (pages 10\xe2\x80\x9311).\n\n9. Review MCC\xe2\x80\x99s IT project management capabilities and determine whether its\n   weaknesses should be reported, tracked, and monitored as a material weakness\n   pursuant to the Federal Managers Financial Integrity Act of 1982 (page 11).\n\nThe detailed findings are discussed in the next section of the report. Appendix I\ndescribes the audit\xe2\x80\x99s scope and methodology. MCC provided comments on the draft\nreport, which are included in their entirety in Appendix II. Management decisions have\nbeen reached on all nine recommendations (page 12).\n\n\n\n\n                                                                                    2\n\x0cAUDIT FINDING\nKey Project Controls\nNot Incorporated Into the\nMIDAS Project\nMCC did not implement risk management, earned value management (EVM), and\nrequirements management for MIDAS\xe2\x80\x94three key project controls to meet cost,\nschedule, and performance goals.\n\nRisk Management Not Performed \xe2\x80\x93 Part 39 of the Federal Acquisition Regulation\n(FAR) requires risk management be performed for IT contracts. Specifically:\n\n   \xe2\x80\xa2   Section 102(a) requires an agency to analyze risks, benefits, and costs before\n       entering into IT contracts. It further states that the contracting and program office\n       officials are both responsible for assessing, monitoring, and controlling risk when\n       selecting projects for investment and during program implementation.\n   \xe2\x80\xa2   Section 102(c) requires an agency to apply the appropriate techniques, such as\n       prudent project management, to manage and mitigate risk during the acquisition\n       of IT.\n\nFurthermore, a best practice for managing an IT project is to maintain a risk-monitoring\ntool. Specifically, the risk-monitoring tool should:\n\n   \xe2\x80\xa2   Identify project risks, such as schedule risk, cost risk, and program management\n       risk.\n   \xe2\x80\xa2   Apply a methodology for prioritizing risks based on probability of occurrence and\n       impact.\n   \xe2\x80\xa2   Include plans, such as a risk mitigation plan, to respond to risks.\n   \xe2\x80\xa2   Assign an individual to be responsible for each of the risks.\n\nMCC prepared a risk management plan dated September 2008 that included most of the\ninformation needed for managing risks, such as the methodology for performing risk\nmanagement for the project and risk categories. In addition, the risk management plan\nincluded an initial risk-monitoring tool for the project, which identified and evaluated risks\nand included plans to respond to risks.\n\nAlthough a prior project manager was aware that the plan and risk-monitoring tool\nexisted, no evidence was provided that the plan was ever used. Moreover, the current\nproject team was not aware of the plan, and therefore the plan was not updated and\nused to actively manage risks. For example, MCC did not identify and manage the\nfollowing risks:\n\n   \xe2\x80\xa2   Use of Rapid Application Development \xe2\x80\x93 The MIDAS contractor used rapid\n       application development by prototyping, which is a system development life cycle\n       methodology. (A system development life cycle methodology is the process of\n       developing information systems through investigation, analysis, design,\n       implementation, and maintenance.) However, MCC officials acknowledged that\n\n\n                                                                                            3\n\x0c        rapid application development was not an appropriate methodology to develop\n        MIDAS, as it is intended for small, low-risk projects with well-understood\n        requirements.\n    \xe2\x80\xa2   Use of Time-and-Materials Contract \xe2\x80\x93 MCC used a time-and-materials contract\n        for a substantial portion of the original MIDAS contact. However, time-and-\n        materials contracts do not encourage effective cost control and require almost\n        constant government surveillance. MCC officials acknowledged that there were\n        concerns with this contract type and later modified it.\n    \xe2\x80\xa2   Immaturity of MCC\xe2\x80\x99s IT Processes \xe2\x80\x93 The maturity of an organization\xe2\x80\x99s IT\n        processes is measured by how well those processes are developed, including\n        capability and control. MCC officials acknowledged that MCC was not mature\n        enough as an organization to handle a large, complex project such as MIDAS.\n\nEVM Not Used \xe2\x80\x93 EVM is a project management control tool that allows visibility into\ntechnical, cost, and schedule planning; performance; and progress for major IT projects.\nEVM not only encourages contractors to use effective internal cost and schedule\nmanagement control systems but also provides the manager with timely and consistent\ncost, schedule, and progress data.\n\nThe Office of Management and Budget (OMB) has issued guidance to (1) assist in\nmonitoring and improving project planning and execution and (2) fully implement EVM\nsystems for IT projects. In an August 2005 memorandum, 2 OMB requires agencies to:\n\n    \xe2\x80\xa2   Include EVM requirements in contracts.\n    \xe2\x80\xa2   Perform reviews to ensure that EVM systems meet established requirements.\n    \xe2\x80\xa2   Ensure that project performance goals are appropriate.\n\nIn addition, OMB requires EVM systems for developmental portions of investments and\nfurther requires EVM systems to be applied regardless of contract type (OMB Circular\nNo. A\xe2\x80\x9311, Part 7, \xe2\x80\x9cPlanning, Budgeting, Acquisition, And Management of Capital\nAssets\xe2\x80\x9d).\n\nFinally, the FAR identifies contracting requirements for EVM systems for major IT\ninvestments. The FAR states that, at a minimum, contracting officers must require\ncontractors to submit EVM system monthly reports for those contracts for which an EVM\nsystem applies (FAR Subpart 34.2, \xe2\x80\x9cEarned Value Management System\xe2\x80\x9d).\n\nHowever, MCC did not incorporate EVM into the MIDAS project. Specifically, MCC did\nnot (1) have an EVM system to use for the project or (2) incorporate EVM into MIDAS\ncontracting actions. Although the contractor may have used aspects of EVM for some\nproject tasks, MCC did not provide evidence that MCC used EVM as a project\nmanagement tool.\n\nIneffective Management of Requirements \xe2\x80\x93 Best practices indicate that effective\nrequirements management plays a vital role in producing a successful project.\nRequirements management includes:\n\n\n\n2\n OMB M-05-23, Improving Information Technology Project Planning and Execution, August 4,\n2005.\n\n\n                                                                                      4\n\x0c    \xe2\x80\xa2   Conducting sessions with key stakeholders to determine the initial requirements.\n    \xe2\x80\xa2   Revising and organizing requirements and negotiating priorities.\n    \xe2\x80\xa2   Having the requirements team detect areas that require more detail.\n    \xe2\x80\xa2   Ensuring that requirements documentation is clear and concise.\n    \xe2\x80\xa2   Evaluating requirements documentation to determine whether it satisfies the\n        business needs and is complete enough for design and construction to begin.\n\nThe two major types of requirements are functional and nonfunctional. Functional\nrequirements specify capabilities that the system will be able to perform in terms of\nbehaviors and operations. Nonfunctional requirements specify the physical and\nperformance limitations of the system, and serve as constraints on functional\nrequirements.\n\nMCC did not effectively manage the requirements for MIDAS. At the time MCC awarded\nthe original contract, MCC did not develop detailed functional requirements. However,\nas part of a September 2008 contract modification, MCC prepared reporting and data\nrequirements. Yet, requirements for compact development and budget formulation were\nnot developed, and therefore those functionalities were not included in the system as\nMCC planned in MCC\xe2\x80\x99s OMB Exhibit 300. In addition, although the original contract\nmentioned some high-level nonfunctional requirements, MCC did not prepare detailed\nrequirements for MIDAS. According to an MCC official, MCC initially planned to\noutsource the system, and nonfunctional requirements would have been the\nresponsibility of the contractor. However, at some point, MCC decided to host the\nsystem internally, but did not prepare nonfunctional requirements.\n\nMoreover, a requirements traceability matrix was not maintained to ensure that all\nrequirements, including changes, were documented and incorporated into MIDAS.\n\nReasons Key Project Controls Were Not Implemented \xe2\x80\x93 The aforementioned\nproblems occurred because MCC did not establish a disciplined approach to manage IT\nprojects. Specifically, as discussed below, MCC did not:\n\n    \xe2\x80\xa2   Consistently involve qualified staff and maintain appropriate staffing levels to\n        manage the project.\n    \xe2\x80\xa2   Develop comprehensive policies and procedures for systems and service\n        acquisition.\n    \xe2\x80\xa2   Establish what project documentation should be prepared, updated, and\n        maintained for IT projects.\n\n        Qualified Staff and Appropriate Staffing Levels Not Consistently Involved\nWith Managing MIDAS Project \xe2\x80\x93 OMB has recognized that qualified IT project\nmanagers are the first line of defense against cost overruns, schedule slippages, and\npoor performance. 3 In an April 2007 memorandum, OMB requires that project\nmanagers assigned to major acquisitions be acquisition certified. It further requires that\nproject managers assigned to IT investments meet the technical requirements of the\nFederal IT Project Manager Guidance Matrix (OMB Memorandum, The Federal\n\n\n3\n OMB Memorandum M-04-19, Information Technology (IT) Project Manager (PM) Qualification\nGuidance (July 24, 2004).\n\n\n                                                                                        5\n\x0cAcquisition Certification for Program and Project Managers, April 25, 2007). That matrix\nestablishes minimum competencies based on project complexity and risk.\n\nHowever, MCC did not have people with the right skills managing the MIDAS project.\nAlthough MCC began the MIDAS project with certified project managers, they were\nsubsequently reassigned, and for almost a year and a half MCC did not have a certified\nproject manager responsible for managing the project. In addition, neither MCC\xe2\x80\x99s Chief\nInformation Officer (CIO) nor any other staff with an IT background was involved with the\nproject for approximately 2 years. Because MCC\xe2\x80\x99s CIO is not positioned properly within\nMCC\xe2\x80\x99s organizational structure, he (1) does not have the authority to effectively\nimplement controls over MCC\xe2\x80\x99s IT projects and (2) can be overridden by upper\nmanagement since he is not a senior official. In a July 2010 audit report, OIG\nrecommended that MCC\xe2\x80\x99s Chief Executive Officer realign the CIO position to report\ndirectly to the Chief Executive Officer, as required. 4 However, MCC did not agree to\nimplement that recommendation. 5\n\nEqually important to having people with the right skills is assigning an appropriately\nsized project management team. Best practices show that, for smaller projects,\nresponsibility can be assigned solely to a project manager, but for larger projects,\nresponsibility should be shared by a project management team. The contractor staffing\nlevel increased from 7 to more than 20, at which point MCC officials admitted that it\nbecame virtually impossible for the project manager to provide adequate project\noversight. Moreover, the project manager had difficultly determining whether the\ncontractor\xe2\x80\x99s billings were correct.\n\n       Comprehensive Policies and Procedures for System and Services\nAcquisition Needed \xe2\x80\x93 The National Institute of Standards and Technology requires\norganizations to develop, disseminate, and periodically review and update the following\nformal documents:\n\n    \xe2\x80\xa2   System and services acquisition policy that (among other things) addresses\n        purpose, scope, roles, responsibilities, management commitment, coordination\n        among organizational entities, and compliance.\n    \xe2\x80\xa2   Procedures to implement the system and services acquisition policy and\n        associated system and services acquisition controls (Special Publication 800-53,\n        Revision 3, Recommended Security Controls for Federal Information Systems\n        and Organizations, August 2009).\n\nIn addition, recognizing the value of good project management, OMB required agencies\nto prepare EVM policies and procedures by December 31, 2005 (OMB M-05-23,\nImproving Information Technology Project Planning and Execution, August 4, 2005).\n\nMCC has prepared some policies and procedures that address system and service\nacquisition, particularly in its policies for information systems security 6 and Contracts\n\n4\n   OIG Audit Report No. M-000-10-003-P, Audit of the Millennium Challenge Corporation\xe2\x80\x99s\nImplementation of Key Components of a Privacy Program for Its Information Technology Systems\n(July 9, 2010).\n5\n  The OIG takes the position that no management decision was reached on the CIO realignment.\nMCC management disagrees.\n6\n  MCC\xe2\x80\x99s Information Systems Security Policy Millennium Challenge Corporation (May 4, 2010).\n\n\n                                                                                          6\n\x0cOperating Manual. 7 However, MCC did not develop comprehensive policies and\nprocedures for system and services acquisition, including EVM and risk management,\nwhich are imperative for the success of IT projects. Such policies and procedures\nshould address in-house systems development projects as well as acquisitions from\nexternal sources. Further, MCC needs policies and procedures for relying on a\ncontractor\xe2\x80\x99s EVM system, which include:\n\n    \xe2\x80\xa2   Performing surveillance and compliance of reviews of the EVM system to\n        demonstrate that the EVM system meets and continues to meet standards.\n    \xe2\x80\xa2   Establishing a performance baseline for the project and performing an integrated\n        baseline review. The review will provide a mutual understanding of risks inherent\n        in contractors' performance plans and underlying management control systems.\n\nIn addition, MCC\xe2\x80\x99s policies and procedures need to address the use of an appropriate\nsystems development life cycle methodology. An August 2010 OIG contractor audit\nreport 8 recommended that MCC document a systems development life cycle\nmethodology. However, MCC also did not develop policies and procedures to ensure\nthat an appropriate methodology is applied when MCC relies on a contractor. MCC\nofficials agreed that the CIO should approve of a contractor\xe2\x80\x99s proposed methodology.\n\nFinally, MCC did not develop policies and procedures to identify the required inputs or\noutputs (e.g., project risk reports and EVM reports) to move to the next phase of the\nproject. Such policies and procedures should also address which senior managers are\nresponsible for making such decisions and at what point those decisions should be\nmade.\n\n       Required Project Documentation Not Established \xe2\x80\x93 MCC did not establish\nwhat documentation should be prepared, updated, and maintained for IT projects.\nMCC\xe2\x80\x99s application of the documentation may vary by project depending on\npredetermined criteria, such as the importance of the system to the mission costs or\ncomplexity of the system, or visibility of the project.\n\nFor example, MCC did not consistently prepare an OMB Exhibit 300. OMB\xe2\x80\x99s policy for\nplanning, budgeting, acquisition, and management of major IT investments requires an\nExhibit 300.    It is used to manage the investment phase of the performance\nimprovement life cycle, which provides the foundation for sound IT management\npractices. OMB\xe2\x80\x99s guidance for Exhibit 300s specifically calls for a detailed risk\nmanagement plan as well as the use of EVM for IT projects. Although MCC prepared an\nExhibit 300 in 2008 for MIDAS, it did not prepare an Exhibit 300 in 2007 for the initial\ninvestment or in 2009 for the continuation of the project.\n\nAlso, MCC did not prepare a project charter for MIDAS. The project sponsor formally\nauthorizes the project by issuing a project charter that (1) establishes the requirements\nto satisfy needs, wants, and expectations and (2) assigns a project manager and\nauthority level. 9 Because MCC did not prepare a project charter, the project suffered\nfrom confusion regarding requirements as well as the responsibilities of the project\n\n7\n  MCC\xe2\x80\x99s Contracts Operating Manual, Chapter 7, \xe2\x80\x9cAcquisition Planning\xe2\x80\x9d (April 2008).\n8\n  Report No. M-000-10-004-P, Audit of the Millennium Challenge Corporation\xe2\x80\x99s Compliance with\nthe Federal Information Security Management Act of 2002 \xe2\x80\x93 Fiscal Year 2010 (August 31, 2010).\n9\n  Alternatively, a project charter may refer to other documents that include these items.\n\n\n                                                                                           7\n\x0cmanager. MCC officials explained that a senior manager was too involved with the\nproject and held meetings with and directed the MIDAS contractor without the\nknowledge and involvement of the project manager at that time. Those meetings\nresulted in constant changes in system requirements with little documentation and a\ndrastic increase in contractor staff. A project charter would have helped MCC avoid this\nconfusion.\n\nIn addition, MCC did not establish what templates, including the required frequency,\nshould be used for reporting to senior management on the project\xe2\x80\x99s status, risks, and\nprogress toward meeting its goals. Such reports could have provided information\nneeded to make informed decisions regarding whether to continue spending MCC\xe2\x80\x99s\nresources on the MIDAS project.\n\nImpact of Not Implementing Key Project Controls \xe2\x80\x93 As a result of not using EVM, risk\nmanagement, and requirements management, MCC spent more than $6.9 million 10 \xe2\x80\x94\n$0.2 million more than planned in the OMB Exhibit 300\xe2\x80\x94for a system that only partially\nmet its needs. Further, MCC did not meet its original, overly ambitious plan to have the\nsystem fully tested and operational by March 2008.\n\nIf MCC had managed project risks, some of the problems that have had a serious impact\non its ability to meet project cost, schedule, and performance goals could have been\nmitigated or avoided. For example, MCC wanted to allow Millennium Challenge Account\nstaff access to MIDAS via MCC\xe2\x80\x99s network. However, that access would have caused a\nsecurity threat. Therefore, MCC had to redesign the system\xe2\x80\x99s architecture, which\ncaused delays in project implementation. If MCC had used EVM, it could have made\ninformed decisions regarding whether to continue investing resources into the MIDAS\nproject. If MCC had managed requirements properly, it could have had better assurance\nof meeting business needs.\n\nIn addition, according to MCC management, MCC is scheduled to close out eight of its\ncompacts over the next year. However, without MIDAS, MCC may have difficulty tying\nthe results of those compacts to the money spent.\n\nIn an October 2010 assessment of MIDAS, 11 an MCC contractor determined that the\nMIDAS data collection process was very manual and labor intensive, and that users\nspent more time entering and validating data than performing data analyses. Further,\nreporting functions were limited, so users were unable to perform the data analyses\nrequired to perform their jobs. Therefore, many end users continued to use their own\nmanual processes to report on data. The assessment provided six options for MCC to\nconsider in moving forward with MIDAS.\n\nConclusion \xe2\x80\x93 As MCC considers its options for MIDAS, it is important to have a\ndisciplined project management process in place to meet cost, schedule, and performance\ngoals. An August 2007 MCC plan 12 recognized that a \xe2\x80\x9cproject management structure and\ndiscipline does not exist within MCC,\xe2\x80\x9d as MCC was only minimally successful in its\nprevious attempt to implement a project management initiative. It further recognized that\nlarge initiatives \xe2\x80\x9cwill require a robust project management environment to successfully\n\n10\n   Unaudited.\n11\n   MCC, MIDAS Independent Verification & Validation Assessment Report (October 12, 2010).\n12\n   MCC, Enterprise Architecture IT Transition Plan Version 1 (August 2007).\n\n\n                                                                                            8\n\x0cmanage the project portfolio through completion.\xe2\x80\x9d Therefore, the report recommended\nthat MCC reintroduce the project management program with the structure, discipline,\ntraining, and executive sponsorship to ensure success. However, according to MCC\nofficials, that recommendation was not implemented because MCC executives did not\nbelieve it was necessary. Nonetheless, because MCC has already exceeded the amount\nit planned to spend on a system that only partially met its needs, it is imperative that\nMCC implement a rigorous project management process before making new IT\ninvestments.\n\nTo address the extensive weaknesses in MCC\xe2\x80\x99s IT project management capabilities,\nMCC needs to take prompt corrective actions to address the recommendations in this\naudit report. Moreover, MCC needs to determine whether the IT project management\ncapabilities should be considered a material weakness, pursuant to the Federal\nManagers\xe2\x80\x99 Financial Integrity Act of 1982. Considering the program a material\nweakness will draw attention to the program, as progress in correcting the weaknesses\nwill be tracked and reported to OMB and Congress.\n\nNote that in response to a prior recommendation, 13 MCC added a dotted line from its\nCIO to the Chief Executive Officer in its organizational chart of the senior management\nteam. However, OIG does not believe that action is responsive to the intent of the\nrecommendation to have the CIO report directly to the Chief Executive Officer. For\nexample, the external website does not list MCC\xe2\x80\x99s CIO as a member of its senior staff.\nMoreover, OMB requires the CIO to report directly to the agency head:\n\n     While the organizational placement of the CIO is to be determined by the agency\n     head, the person selected should report to the agency head directly, and not\n     through another official. The CIO must actively participate, with the agency head\n     and other senior agency officials, in planning and budgeting deliberations,\n     support of work process redesign in areas being considered for IT investment,\n     and the development of information technology program performance measures\n     (OMB M-96-20, Implementation of the Information Technology Management\n     Reform Act of 1996, April 4, 1996).\n\nThe OIG is not making a recommendation in this report to address the fact that the CIO\nis not reporting directly to the Chief Executive Officer. This recommendation remains\nopen from the prior audit work. Recommendations 1 through 7 are directed to MCC\xe2\x80\x99s\nChief Executive Officer because the current placement of MCC\xe2\x80\x99s CIO within the\norganizational structure results in the CIO not having the authority to implement the\nrecommendations.\n\n     Recommendation 1.            We recommend that the Millennium Challenge\n     Corporation\xe2\x80\x99s Chief Executive Officer develop a detailed, written plan to establish\n     strong project management capabilities for information technology projects, with\n     sufficient responsibility, authority, and resources to apply disciplined practices.\n     The plan must include assigning a certified project manager to information\n     technology projects with the required minimum competencies based on project\n     risk and complexity.\n\n13\n   Recommendation 1 in OIG Audit Report No. M-000-10-003-P, Audit of the Millennium\nChallenge Corporation\xe2\x80\x99s Implementation of Key Components of a Privacy Program for Its\nInformation Technology Systems (July 9, 2010).\n\n\n                                                                                           9\n\x0cRecommendation 2.          We recommend that the Millennium Challenge\nCorporation\xe2\x80\x99s Chief Executive Officer develop written earned value management\npolicies and procedures for information technology projects, as required by Office\nof Management and Budget memorandum M-05-23. At a minimum, this must\ninclude:\n\n   \xe2\x80\xa2   Performing surveillance reviews of the earned value management\n       system.\n   \xe2\x80\xa2   Performing periodic compliance reviews of the earned value management\n       system.\n   \xe2\x80\xa2   Establishing a performance baseline.\n   \xe2\x80\xa2   Conducting an integrated baseline review.\n\nRecommendation 3.            We recommend that the Millennium Challenge\nCorporation\xe2\x80\x99s Chief Executive Officer develop written policies and procedures to\nplan for, mitigate, monitor, and report on risks to information technology projects.\n\nRecommendation 4.         We recommend that the Millennium Challenge\nCorporation\xe2\x80\x99s Director of Contracts and Grants Management, in collaboration\nwith the Chief Executive Officer, update the Contracts Operating Manual to\ninclude procedures for including risk management and earned value\nmanagement in contracting actions, when required.\n\nRecommendation 5.          We recommend that the Millennium Challenge\nCorporation\xe2\x80\x99s Chief Executive Officer develop written policies and procedures to\nobtain written approval for relying on a contractor\xe2\x80\x99s systems development life\ncycle methodology.\n\nRecommendation 6.          We recommend that the Millennium Challenge\nCorporation\xe2\x80\x99s Chief Executive Officer develop written policies and procedures to\naddress key decision points for information technology projects, including who is\nresponsible for making those decisions and what information should be used as\nthe basis for making those decisions.\n\nRecommendation 7.        We recommend that the Millennium Challenge\nCorporation\xe2\x80\x99s Chief Executive Officer, establish in writing what documentation\nmust be prepared, updated, and maintained for information technology projects\nbased on size and complexity of the project. At a minimum, this must include:\n\n   \xe2\x80\xa2   Office of Management and Budget Exhibit 300s\n   \xe2\x80\xa2   Project charters\n   \xe2\x80\xa2   Earned value management reports\n   \xe2\x80\xa2   Risk management plans and reports\n   \xe2\x80\xa2   Requirements documents\n   \xe2\x80\xa2   Reports to senior management\n\nRecommendation 8.         We recommend that the Millennium Challenge\nCorporation\xe2\x80\x99s Vice President for Compact Operations implement the following\n\n\n\n\n                                                                                       10\n\x0ccontrols for the MCC Integrated Data Analysis System project before proceeding\nto the development phase to build additional functionality for the MCC Integrated\nData Analysis System:\n\n   \xe2\x80\xa2   Risk management\n   \xe2\x80\xa2   Earned value management\n   \xe2\x80\xa2   Requirements management\n\nRecommendation 9.         We recommend that the Millennium Challenge\nCorporation\xe2\x80\x99s Senior Assessment Board review the Corporation\xe2\x80\x99s information\ntechnology project management capabilities and prepare a written determination\nregarding whether its weaknesses should be reported, tracked, and monitored as\na material weakness pursuant to the Federal Managers\xe2\x80\x99 Financial Integrity Act of\n1982.\n\n\n\n\n                                                                                    11\n\x0cEVALUATION OF\nMANAGEMENT COMMENTS\nThe Millennium Challenge Corporation (MCC) provided written comments to the draft\nreport that are included in their entirety in Appendix II. MCC agreed to take corrective\naction on all nine recommendations in the draft report.\n\nFor Recommendation 1, MCC agreed to develop a plan to establish project\nmanagement capabilities for IT projects by March 25, 2011. OIG considers that a\nmanagement decision has been reached.\n\nFor Recommendation 2, MCC agreed to develop a compliant earned value management\npolicy by May 20, 2011. OIG considers that a management decision has been reached.\n\nFor Recommendation 3, MCC agreed to develop an IT project risk management policy\nby April 8, 2011. OIG considers that a management decision has been reached.\n\nFor Recommendation 4, MCC agreed to update the Contracts Operating Manual to\ninclude procedures for incorporating risk management and earned value management in\ncontracting actions, when required. MCC plans to take final corrective action by March\n31, 2011. OIG considers that a management decision has been reached.\n\nFor Recommendation 5, MCC agreed to develop a corporate systems development life\ncycle (SDLC) policy by April 22, 2011. OIG considers that a management decision has\nbeen reached.\n\nFor Recommendation 6, MCC agreed to develop SDLC procedures to address key\ndecision points for IT projects by April 22, 2011. OIG considers that a management\ndecision has been reached.\n\nFor Recommendation 7, MCC agreed to develop SDLC procedures to address what\ndocumentation must be prepared, updated, and maintained for IT projects by April 22,\n2011. OIG considers that a management decision has been reached.\n\nFor Recommendation 8, MCC agreed to implement (1) risk management, (2) earned\nvalue management, and (3) requirements management for the MIDAS project before\nproceeding to the develop additional functionality for MIDAS. MCC plans to take final\ncorrective action by June 3, 2011. OIG considers that a management decision has been\nreached.\n\nFor Recommendation 9, MCC agreed to have its Senior Assessment Board make a\ndetermination of whether IT project management capabilities should be reported,\ntracked, and monitored as a material weakness pursuant to the Federal Managers\xe2\x80\x99\nFinancial Integrity Act of 1982. MCC plans to take final corrective action by May 20,\n2011. OIG considers that a management decision has been reached.\n\n\n\n\n                                                                                     12\n\x0c                                                                           APPENDIX I\n\n\n\nSCOPE AND METHODOLOGY\nScope\nThe Office of Inspector General (OIG) conducted this performance audit of the\nMillennium Challenge Corporation\xe2\x80\x99s (MCC) Integrated Data Analysis System (MIDAS) in\naccordance with generally accepted government auditing standards. Those standards\nrequire that we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our audit\nobjective. We believe that the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objective. To date, MCC has obligated\nalmost $7.4 million against the contract and paid the contractor more than $6.9 million.\nHowever, we did not audit these amounts, but instead focused on key project controls\nfor the MIDAS project.\n\nWe conducted our audit at MCC headquarters in Washington, DC, from August 12 to\nOctober 27, 2010. To answer the audit objective, we interviewed MCC staff and\nreviewed documentation related to MIDAS [formerly the Business Intelligence and Data\nStorage System (BIDS)]. Such documentation included the BIDS and MIDAS technical\nproposals, contract modifications, obligations spreadsheets, Office of Management and\nBudget (OMB) Exhibit 300 for MIDAS, a list of project management-certified employees,\ncontracting officer\xe2\x80\x99s technical representative designation, project monitor designation,\nand requirement specifications. We also observed MIDAS. We reviewed laws,\nregulations, OMB circulars and memorandums, and other guidance related to the audit\nobjective. The objective of this audit was to determine if MCC implemented selected key\nproject controls to meet MIDAS projects cost, schedule, and performance goals. Thus,\nwe focused on the following three significant controls: (1) risk management, (2) earned\nvalue management, and (3) requirements management.\n\nMethodology\nTo answer the audit objective, we reviewed key MIDAS project controls, which included\n(1) the risk management plan, (2) earned value management system, and\n(3) requirements management.\n\nWith regard to risk management, we used best practices to assess whether, for the\nMIDAS project, MCC performed (1) management planning, (2) monitoring, and (3)\nreporting. With regard to earned value management, we used OMB M-05-23, Improving\nInformation Technology (IT) Project Planning and Execution (August 4, 2005) to assess\nwhether, for the MIDAS project, MCC (1) performed earned value management systems\ncompliance and surveillance reviews, (2) incorporated earned value management\nsystem into contracts, and (3) conducted an integrated baseline review. We also\nassessed MCC senior management\xe2\x80\x99s use of earned value management system for\nMIDAS in accordance with OMB A-11, Part 7, Planning, Budgeting, Acquisition, and\nManagement of Capital Assets. With regard to requirements management, we\nconsidered the business needs identified in the MIDAS contract and OMB Exhibit 300 in\nassessing the MIDAS functional and nonfunctional requirements documents. However,\nwe did not perform requirements gathering and analyses.\n\n\n\n                                                                                     13\n\x0c                                                                              APPENDIX II\n\n\n\n   MANAGEMENT COMMENTS\n\n\n\n\nJanuary 14, 2011\n\nMEMORANDUM TO: Alvin A. Brown\n               Assistant Inspector General for the Millennium\n               Challenge Corporation\n\nFROM:                    Dennis Lauer /s/\n                         Chief Information Officer\n                         Millennium Challenge Corporation\n\nSUBJECT:                 MCC Comments on the Audit of the Millennium Challenge\n                         Corporation\xe2\x80\x99s Implementation of Selected Key Project\n                         Controls for the MCC Integrated Data Analysis System.\n\nThe Millennium Challenge Corporation (MCC) appreciates the opportunity to comment on\nthe audit of the MCC\xe2\x80\x99s Implementation of Selected Key Project Controls for the MCC\nIntegrated Data Analysis System. We acknowledge and consider your role vital in helping to\nstrengthen MCC\xe2\x80\x99s project management capabilities for information technology projects.\n\nOur Management Response to your recommendations follows.\n\nRecommendation No. 1: Develop a detailed, written plan to establish strong project\nmanagement capabilities for IT projects.\n\nManagement Response: MCC will develop a plan to establish project management\ncapabilities for IT projects by March 25, 2011.\n\nRecommendation No. 2: Develop written earned value management policies and procedures\nfor IT projects, as required.\n\nManagement Response: MCC will develop an Earned Value Management policy that is\nANSI-EIA 748A compliant by May 20, 2011.\n\n\n                                                                                       14\n\x0cRecommendation No. 3: Develop written policies and procedures to plan for, mitigate,\nmonitor, and report on risks to IT projects.\n\nManagement Response: MCC will develop an IT Project Risk Management policy by April\n8, 2011.\n\nRecommendation No. 4: Update the Contracts Operating Manual to include procedures for\nincluding risk management and earned value management in contracting actions, when\nrequired.\n\nManagement Response: MCC will update the Contracts Operating Manual to include\nprocedures for including risk management and earned value management in contracting\nactions, when required, by March 31 2011.\n\nRecommendation No. 5: Develop written policies and procedures to obtain written approval\nfor relying on a contractor\xe2\x80\x99s systems development life cycle methodology.\n\nManagement Response: MCC will develop an MCC corporate SDLC policy by April 22,\n2011.\n\nRecommendation No. 6: Develop written policies and procedures to address key decision\npoints for IT projects.\n\nManagement Response: MCC will develop SDLC procedures to address key decision points\nfor IT projects by April 22, 2011.\n\nRecommendation No. 7: Establish in writing what documentation must be prepared,\nupdated, and maintained for IT projects.\n\nManagement Response: MCC will develop SDLC procedures to address what\ndocumentation must be prepared, updated and maintained for IT projects by April 22, 2011.\n\nRecommendation No. 8: Implement risk management, earned value management, and\nrequirements management for the MIDAS project before proceeding to the development\nphase to build additional functionality for the system.\n\nManagement Response: MCC will implement risk management, earned value management\nand requirements management for the MIDAS project before proceeding to the development\nphase to build additional functionality for the system by June 3, 2011. This is in accordance\nwith Recommendations 1, 2, 3, and 5.\n\nRecommendation No. 9: Review MCC\xe2\x80\x99s IT project management capabilities and determine\nwhether its weaknesses should be reported, tracked, and monitored as a material weakness\npursuant to the Federal Managers Financial Integrity Act of 1982.\n\n\n\n\n                                                                                           15\n\x0cManagement Response: MCC will refer this to the Senior Assessment Board (SAB) for a\ndetermination of whether IT project management capabilities should be reported, tracked and\nmonitored as a material weakness pursuant to the Federal Managers Financial Integrity Act\nof 1982, by May 20, 2011.\n\n\n\n\n                                                                                        16\n\x0c                                                                          APPENDIX III\n\n\n\nADDITIONAL BACKGROUND\nINFORMATION\nThe Millennium Challenge Corporation (MCC) fulfills its mission to reduce poverty and\npromote sustainable economic growth by awarding compacts to eligible countries, and in\ndoing so it operates in a challenging business environment.                Therefore, on\nSeptember 27, 2007, MCC awarded a contract to develop the Business Intelligence and\nData Storage (BIDS) system in an effort to effectively carry out its work in this\nenvironment. BIDS aligns with the Millennium Challenge Corporation Strategic Plan\n2006\xe2\x80\x932011, Strategic Goal #4: \xe2\x80\x9cBuild MCC\xe2\x80\x99s capabilities to achieve its primary strategic\ngoals.\xe2\x80\x9d It further supports the three primary strategic goals: (1) to develop its human\nresources and financial and administrative capacity; (2) to articulate clear processes,\npolicies, and quality standards; and (3) to build strong support systems to enable MCC\nto achieve its mission. BIDS was supposed to enable MCC to meet these four strategic\ngoals by providing the capability to link financial management and performance data,\nand in turn to improve MCC\xe2\x80\x99s programmatic effectiveness, operational efficiency, and\nability to show results. The contractor was required to deliver the system to meet MCC\xe2\x80\x99s\nneeds no later than March 27, 2008.\n\nBy March 2008, MCC realized that BIDS did not function as intended. At that time, MCC\nmanagement made a decision to halt the project. In September 2008, MCC modified\nthe contract to refine the requirements for three specific aspects: (1) data collection,\n(2) workflow and document management, and (3) reporting. In addition, MCC changed\nthe named of BIDS to the MCC Integrated Data Analysis System (MIDAS). In\nMarch 2009, MCC began using MIDAS in some countries.\n\nTo date, MCC has obligated almost $7.4 million against the contract and paid the\ncontractor more than $6.9 million. 14\n\n\n\n\n14\n     Unaudited.\n\n\n                                                                                     17\n\x0cU.S. Agency for International Development\n        Office of Inspector General\nFor the Millennium Challenge Corporation\n             1401 H Street, NW\n          Washington, DC 20005\n            Tel: (202) 216-6960\n            Fax: (202) 216-6984\n            www.usaid.gov/oig\n\x0c"